Ransomware and how to avoid it

There have been a lot of stories recently in the technical and mainstream press about ransomware. While they admirably cover the details (and generate a fair amount of anxiety in doing so), even the articles in the technical press tend to be vague on what you can do to stop or mitigate ransomware.

So, after a brief survey of the situation, I’ll try to address some of those issues. There are no simple answers, but carrying out the suggestions should make your organisation and its systems more resilient to a wider range of issues than just ransomware.

TL;DR: Ransomware is nasty but can be counteracted with good IT administration practices.

What is ransomware?

Ransomware is malicious computer software that results in the user being asked for money. It can affect desktops, laptops, servers and phones.

Less sophisticated ransomware will lock out your browser or entire device and demand payment to remove the lock. The payment is often presented as a fine and is localised to the target, for example using specific police force names and logos in the UK; or it sometimes masquerades as a product activation fee.

More worrying is the breed of ransomware that encrypts important files stored on the device and demands payment to restore access. Files targeted typically include documents, images (a common target on phones) and database files. The files will be unreadable until a fee is paid to decrypt them. Encrypting ransomware has been documented for 25 years, but there has been an explosive rise in the last year making use of increasingly sophisticated encryption schemes [1], anonymous networks such as Tor and anonymous currencies such as Bitcoin. If your device is infected, there is little option except to pay up (and hope the decryption works [2]) or restore from a backup.

Most recently, cases have been documented where administrative access to a server or website has been used to put an encryption layer between an application and its database. This is difficult to detect as long as the offsite encryption key is available. As soon as the attacker removes the key from their own server, the application will typically fail or important features will not work, depending on the data chosen for encryption. The attackers will then ask for money to decrypt the database.

What’s the ransom?

Typical amounts asked for range from $10 for popup removal or browser unlocking; hundreds of dollars for file decryption; and, reportedly, $50,000 for database decryption.

How does ransomware get in?

On desktops, ransomware is a secondary payload after a computer has been compromised. Vulnerabilities in PDF files, browsers, Java and, increasingly, Flash and Silverlight are exploited to gain access. The initial compromise is triggered by opening a malicious document or visiting a compromised website, usually via an email attachment or email link. The email will sometimes appear to come from a colleague or business associate whose computer has already been infected.

On phones, the most popular route is via malicious apps downloaded from third party sources, often pornography sites.

There are not many well-documented cases on servers, but the information released so far suggests that web application vulnerabilities or stolen passwords have been used to gain administrative access, and that there is a degree of targeting and human control not seen on other devices.

How can you counteract ransomware?

Your main line of defence is an information security policy – a set of procedures which (this is the important part) your organisation actually follows. However small the organisation, there needs to be an understanding of the issues and an agreement on how to address them from board or owner level all the way down.

The UK government has a very clear series of documents on “Cyber security guidance for business” which covers the ground well and identifies how to reduce your exposure in ten critical areas:

  1. Establishing an information risk management regime
  2. Securing the configuration of hardware and software, at installation and by ongoing patching and updating
  3. Managing network security to protect your internal network
  4. Managing user privileges
  5. Managing user education and awareness
  6. Responding to incidents
  7. Preventing malware
  8. Monitoring
  9. Controlling removable media
  10. Managing home and mobile working

I’m not going to restate all the advice on that site – it should be fairly obvious for example that having functioning anti-virus scanning, email scanning and a firewall is going to help a lot. But I do want to highlight a few areas.

Establishing an information risk management regime

Establishing an information risk management regime sounds like a boring, box-ticking exercise. But it’s actually a vital starting point and sits at the centre of your entire defence.

You need to assess your organisation’s risk appetite. Are you conservative or cutting edge? Do you have any statutory obligations with regard to data security?

You need to know the impact of a risk. Do you have a public website which contains transactional data (an online store or booking system) or performs a key business function (a product support forum)? If so, the impact of a server-based ransomware attack could be fairly high. Do users have irreplaceable documents or data on their computers or on network resources they have direct access to? If so, the impact of a typical ransomware infection could be high too.

Finally, you need to know the probability of a risk. In the case of a ransomware infection that’s difficult to express with any certainty, but the probability will definitely be reduced by addressing the other nine items on the government’s list.

In classic project risk management, you would combine those factors using a risk matrix to decide how to deal with the risk. In the case of an external threat such as ransomware, your options are more limited but understanding your situation will help you to decide how much time and effort should be expended on preventing or mitigating the risk.

Securing your configuration

Most software manufacturers are pretty good at patching their products against exploits when they find out about them. Browser manufacturers in particular are trying to make updating less of an issue in users’ minds by “accelerated versioning”. The version becomes so little of an issue that I had to check my copy of Mozilla Firefox to find out it was 36.0. By increasing the major version number regularly, users are less likely to postpone updates because it seems to matter less. That’s good for security – again and again, it is browser flaws and browser plugin flaws which have been used by malware writers as a way into systems. [3]

The other side of that bargain is that users (and their administrators) have to install those updates as soon as possible in order to close the exposure window and keep the risk probability down. Larger organisations will need to look at automated systems, or at least centralised configuration, to handle the patching. (They will also need to make sure the time their IT staff spend on those everyday tasks rather than more high profile projects isn’t seen as wasted.) For smaller organisations, it may just be a matter of finding the settings that say “Automatically install updates” and ticking them. Recovering from the occasional problem caused by a badly tested patch will be nowhere near as painful as recovering from a major infection.

This also applies to web and other application servers. Whether you’re running WordPress, Sitecore or something handcrafted, you need to keep the software and its libraries up to date. Internet connected sites are regularly scanned by automated scripts looking for vulnerable versions of software. Make sure you don’t end up on a list of sites worthy of closer attention.

Responding to incidents

Buried in this section is the recommendation that you take regular backups. If the threat to be countered is the removal of access to your files because they’ve been encrypted, this has to be one of your main priorities. A good backup may well allow you to clean the infection and then restore. Also consider how documents are stored – it’s probably easier to set up systems and policies that mandate centralised storage than it is to ensure every single device is regularly backed up.

Monitoring and auditing

Setting up monitoring and auditing of your systems might seem like ‘closing the stable door’ as a response to malware attacks and other intrusions. But as well as generally allowing you to be more preventative than reactive in your IT response, monitoring systems can help you keep track of software versioning and bring to light unusual activity – some of which might be triggered by malware.

In particular, monitoring files for unexpected changes would have revealed the server encryption attack almost immediately and before it could cause too many problems. File integrity monitoring software works by recording a baseline checksum for a file and then periodically comparing the current checksum. Any changes to the contents of the file will be detected and an alert raised.

This obviously doesn’t work well for regularly changing files, but for files such as web application software that you would only expect to change when there is a planned update, this approach works very well. Products like Tripwire have been part of the enterprise server administrator’s toolbox for a long time, and even systems like WordPress have effective file monitoring plugins if you choose to use them.
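To make the baseline-and-compare mechanism concrete, here is a small file integrity monitor written for this post as an illustration; it is not Tripwire, a WordPress plugin, or any code from the original article. It records a SHA-256 checksum for every file under a directory (a hypothetical web root), stores that baseline outside the monitored tree, and on each later run reports files that were added, removed or modified. The demo directory contents and file names are constructed for the example.

```python
"""Minimal file integrity monitor: baseline checksums, then compare."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its checksum."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = sha256_of(p)
    return result


def write_baseline(root: Path, baseline_file: Path) -> dict:
    """Record the trusted state. Re-run this only after a planned update, and keep
    the baseline file somewhere the monitored tree cannot overwrite it."""
    snap = snapshot(root)
    baseline_file.write_text(json.dumps(snap, indent=2, sort_keys=True))
    return snap


def compare(root: Path, baseline_file: Path) -> dict:
    """Return files added, removed and modified relative to the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    current = snapshot(root)
    both = set(current) & set(baseline)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in both if current[f] != baseline[f]),
    }


def alerts(report: dict) -> list:
    """One human-readable alert line per unexpected change, in a stable order."""
    return [f"ALERT {kind}: {f}" for kind in ("added", "removed", "modified")
            for f in report[kind]]


def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp) / "webroot"          # hypothetical web root
        (webroot / "inc").mkdir(parents=True)
        (webroot / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (webroot / "inc" / "db.php").write_text("<?php $dsn = 'mysql:...'; ?>\n")
        baseline = Path(tmp) / "baseline.json"   # deliberately outside webroot
        write_baseline(webroot, baseline)
        # Simulate an unplanned change to the database include and a new file.
        (webroot / "inc" / "db.php").write_text("<?php /* changed */ ?>\n")
        (webroot / "unexpected.php").write_text("<?php /* new */ ?>\n")
        return compare(webroot, baseline)


if __name__ == "__main__":
    for line in alerts(demo()):
        print(line)
```

In real use you would schedule `compare()` from cron or a service, send the alert lines to whatever you already monitor, and re-run `write_baseline()` as the final step of each planned deployment so that expected changes do not keep raising alerts.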

Practical steps

From a practical point of view, there are two aspects to countering ransomware – stopping it getting in and having a fallback if it does.

On desktops, you would broadly use the same tactics as for all viruses and malware:

  • Install anti-malware software, keep it up to date and make sure it actively scans
  • Keep your applications and operating systems up to date, paying particular attention to applications exposed to the internet such as browsers and Flash
  • Use email filtering software to keep email-borne malware from getting to the mail client at all
  • Educate your users to be wary of any unsolicited mails which expect you to open documents or follow links

On phones

Servers can be protected by fairly standard administration practices:

  • Implement restrictive firewall policies
  • Carry out regular application and OS security patching
  • Use file monitoring software to detect unauthorised changes to files
  • If you allow remote access to servers via ssh or ftp, use public keys (ideally) or IP whitelists
  • Carry out regular database backups with periodic restores to a ‘clean’ system
  • Allow a third party to perform a periodic security review and/or penetration test

How many of these you apply will depend on the value of your data and your organisation’s risk appetite. They all come with some cost, but probably nothing like the overall cost of a serious incident.


[1] A recent dissection of CTB-Locker, a particularly sophisticated type of ransomware, showed that it uses three levels of encryption key. The middle level key, the one you will need to decrypt your files, is sent to the remote system before being removed from your device. But it itself is encrypted by the highest level key before transmission, meaning even if you knew what was happening and intercepted the transmission, it still wouldn’t help you as you wouldn’t be able to decrypt the middle level key.

[2] The decryption is usually automated and some ransomware varieties have a ‘try before you buy’ feature that decrypts a selection of files (or at least claims to) before you pay to decrypt the rest. But even if the intention is to decrypt files upon payment, the control mechanisms could have been disrupted by the authorities (in this case likely to be some combination of national law enforcement, security and antivirus companies, and manufacturers such as Microsoft), meaning that the decryption fails.

[3] If you have some programming knowledge, this article on how a small flaw in Flash can be turned into a system-wide exploit is a real eye opener.